Iranian Hacked Computer Controlling US Dam: Prosecutors

One of seven Iranian suspects indicted by the US government and linked to the Iranian government hacked into the system controlling an American dam in 2013, prosecutors announced Thursday.

U.S. authorities today announced charges against seven Iranian nationals for their alleged involvement in cyberattacks aimed at banks and a small New York dam.

According to authorities, the seven suspects are experienced hackers employed by two IT security companies working for the Iranian government, including the Islamic Revolutionary Guard Corps. The attacks launched by these individuals, all of whom are still at large, are said to have cost victims tens of millions of dollars.

The alleged hackers indicted today are believed to be responsible for the distributed denial-of-service (DDoS) attacks launched against 46 U.S. banks between late 2011 and mid-2013.

One of the suspects, Hamid Firoozi, has also been charged in connection with a hacker attack targeting the Bowman Dam in Rye, New York. Authorities said he repeatedly breached the dam's computer systems between August and September 2013, allowing him to obtain information about the status and operation of the facility.

In a presentation at the RSA Conference, Andre McGregor, former FBI cyber special agent and current director of security at Tanium, said the attackers breached the New York dam after finding one of the facility’s Windows XP machines on the Internet using the Shodan search engine. They gained access to the device by brute-forcing its password, which was “666666.”

The expert said the attackers believed the dam was much bigger than it actually was, and while they managed to access its control systems, they couldn’t cause any damage because the facility was not functional at the time. McGregor noted that a group acting as a front for the Iranian Revolutionary Guard Corps took credit for the attack only after U.S. authorities made the incident public.

“At the time of his alleged intrusion, the dam was undergoing maintenance and had been disconnected from the system. But for that fact, that access would have given him the ability to control water levels and flow rates – an outcome that could have posed a clear danger to the public health and safety of Americans,” said Attorney General Loretta E. Lynch.

In an interview with SecurityWeek, McGregor said the US determines the source of an attack based on evidence collected from the systems of targeted organizations, and information from intelligence community partners involved in cyber intelligence collection outside the United States, such as the CIA, the NSA and the Department of Defense.

Iranian hackers are believed to be responsible not only for the attacks on banks and the New York dam, but also the operations aimed at Saudi Arabian oil company Saudi Aramco and the Sands Casino in Las Vegas.

The news that Iranian hackers have been indicted comes just days after US authorities unveiled criminal charges against three alleged members of the Syrian Electronic Army hacktivist group. The suspects, Syrian nationals Ahmad Umar Agha, Firas Dardar and Peter Romar, have been charged with conspiracy, unauthorized access to computers, receiving the proceeds of extortion, money laundering and wire fraud.

The FBI also announced that it added Agha and Dardar, who are both believed to be residing in Syria, to its "Cyber Most Wanted" list, offering $100,000 for information leading to their arrest.

"While the attackers don't appear to have penetrated the dam's operational systems, this event is a reminder of how important it is for us to protect critical infrastructure, whether at the nation-wide, state, local, or private sector level," Steve Grobman, Intel Security CTO, told SecurityWeek.

"This event is also a reminder that cyber-attack and cyber-exploitation tools and expertise are available to those willing to pay for them," Grobman added. "An entire underground cyber-exploitation ecosystem has evolved, where the latest malware and hacker services to execute attacks can be purchased. This magnifies the capabilities of a less-resourced entity to launch sophisticated attacks."

"It's a matter of resources, motivation, persistence, and opportunity," he said.

Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.